Hello everyone, my company has been approached by a healthcare facility to do a pen test. I am wondering if anyone on here has any experience with regulations or certain things that need to be done specifically with healthcare. Specifically HIPAA regulations.

I have done some research and the only thing I have found was a NIST document relating to the HIPAA Security Rule. That details risk analysis from an internal standpoint, but I am not sure how it takes into account specifically a targeted attack from a contracted company. I know that legally there has to be a business associate agreement, but past that I haven't found anything else.

One thing to strongly consider and discuss with the client would be the need for a BAA (Business Associate Agreement). A BAA is a contract between a healthcare provider and a business that may have access to PHI (Protected Health Information), which is possible during a penetration test. Even if you narrowly scope it to avoid things like an EMR (Electronic Medical Record) system, a tester may run into PHI. I recently ran across a drug screen result report on an employee laptop during an investigation. It was their report, but it was PHI that needs authorization for access.

HIPAA does not require "penetration testing" specifically as a method to test certain controls. However, HIPAA does require that controls are frequently audited (just like any other "compliance thing") and that certain controls are in place (compliance thing again) to protect health information. Looking at recent audits, risk assessments, or other testing would be a good place to start when scoping the pen test.

Also remember, determine which systems are critical. In the case of a healthcare provider, it can really be a case of life or death if a critical system goes down. If a first responder alert system stops "talking", it is a pretty big deal.

That's a start...

(Took a while to type this up...but like you said above - BAA.) Look into the requirements for HIPAA and understand why it was started and what the goal of it is. The requirements are actually more straightforward and simple than things like SOX. Get balls deep into it all and figure it out. Lots of stuff out there.

Thanks! That is a great start; thank you for your help and for pointing me in the right direction. I do agree, though, that a BAA is a very huge piece that needs to be in place before anything can happen on either side.

I am sure that the client would know enough to require a BAA, but looking into why will help you understand that they aren't just being jerks; it really is a strong requirement to protect them (and patients and employees as well).

Good luck with all of it and let us know if you have any other questions, or just how it goes in general, once it gets into full swing.